Table of contents exchange of letters with the minister executive summary



Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part II
Page 34 of 425

98. For each category of reportable incident, the NCIRF also states the reporting flow and timing requirements for the Sector Lead or its Computer Emergency Response Team (“CERT”) to report the incident to CSA.
11 IHIS’ INTERNAL FRAMEWORK FOR INCIDENT REPORTING AND RESPONSE
99. The main policy document governing IT security in the healthcare sector, including in the Clusters, is the Healthcare IT Security Policy and Standards Version 3.0 (“HITSPS”)[10]. The HITSPS was developed under the charge of Kim Chuan (when he was Director of the Identity & Security Services Department within MOHH ISD) and Francis (the former IHiS Group Director (Technology Management)). Broadly, it prescribes IT security policies, technical security standards and processes to be implemented by the PHIs. Relevant to the Inquiry are policies within the HITSPS pertaining to user-ID management, password management, and technical vulnerability management (vulnerability and penetration tests).
100. The HITSPS states that the reporting timelines and escalation processes for all IT security incidents shall be as per two documents, namely (i) the Healthcare IT Security Incident Response Framework (“SIRF”) and (ii) the Cluster IT Security Incident Response SOP (“IR-SOP”).
101. It must be highlighted that the SIRF and IR-SOP are meant primarily for the sector-to-CII level, and it is for the Cluster GCIOs and their IT leads to develop lower level processes to comply with their requirements. There is also no written protocol for how IHiS staff who discover an IT security incident affecting a Cluster’s assets are to assess and report the matter.
[10] IHiS plans to update HITSPS by issuing HITSPS Version 4.0, and provided in its evidence a draft of Version 4.0, dated October 2017.


